Yoast WordPress SEO Plugin Vulnerable To Hackers

Millions of WordPress sites may be exposed to a Blind SQL Injection vulnerability due to a security hole in the very popular Yoast SEO plugin. The plugin has been updated, make sure to update your plugin.

Chat with SearchBot

yoast-seo

The Yoast WordPress SEO Plugin that is used by over 14 million WordPress blogs on the web has reportedly been open to an exploit where hackers can do a Blind SQL injection.

A Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

It can be used to insert an SQL query into the database to either extract data, modify data or delete data. It is often used to insert unwanted or unauthorized affiliate, spam links, or malware/adware on sites.

If you are on WordPress, there is a good chance you are using this Yoast plugin. To fix the issue, upgrade to version 1.7.4 immediately. This version is documented to be a security fix based on what Ryan Dewhurst found during a security scan. The security fix says:

Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.

You can learn more about the vulnerability at TheHackerNews.com.

Postscript: Yoast announced that the WordPress team actually automatically pushed an update to WordPress installs that run an older version of this plugin. So many sites running this should be automatically updated.


About the author

Barry Schwartz
Staff
Barry Schwartz is a Contributing Editor to Search Engine Land and a member of the programming team for SMX events. He owns RustyBrick, a NY based web consulting firm. He also runs Search Engine Roundtable, a popular search blog on very advanced SEM topics. Barry can be followed on Twitter here.

Get the must-read newsletter for search marketers.